From 7d2371a297c776370f05b9917a58764d2efe15ba Mon Sep 17 00:00:00 2001 From: ahmed Date: Fri, 29 Sep 2023 17:36:23 -0400 Subject: [PATCH] add tristate verification to postman --- pkg/detectors/postman/postman.go | 62 +++++++++++++++++++-------- pkg/detectors/postman/postman_test.go | 58 ++++++++++++++++++++----- 2 files changed, 91 insertions(+), 29 deletions(-) diff --git a/pkg/detectors/postman/postman.go b/pkg/detectors/postman/postman.go index e5cdfc6f557d..227071fa3153 100644 --- a/pkg/detectors/postman/postman.go +++ b/pkg/detectors/postman/postman.go @@ -2,6 +2,7 @@ package postman import ( "context" + "fmt" "net/http" "regexp" "strings" @@ -11,13 +12,17 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" ) -type Scanner struct{} +type Scanner struct { + client *http.Client +} + +const verifyURL = "https://api.getpostman.com/collections" // Ensure the Scanner satisfies the interface at compile time. var _ detectors.Detector = (*Scanner)(nil) var ( - client = common.SaneHttpClient() + defaultClient = common.SaneHttpClient() // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. keyPat = regexp.MustCompile(`\b(PMAK-[a-zA-Z-0-9]{59})\b`) @@ -47,31 +52,50 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.getpostman.com/collections", nil) - if err != nil { - continue - } - req.Header.Add("x-api-key", resMatch) - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } else { - // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. - if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { - continue - } - } - } + client := s.getClient() + isVerified, verificationErr := verifyPostman(ctx, client, resMatch) + s1.Verified = isVerified + s1.VerificationError = verificationErr } + if !s1.Verified && detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + continue + } results = append(results, s1) } return results, nil } +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + return defaultClient +} + +func verifyPostman(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, verifyURL, nil) + if err != nil { + return false, err + } + req.Header.Add("x-api-key", token) + res, err := client.Do(req) + if err != nil { + return false, err + } + defer res.Body.Close() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + func (s Scanner) Type() detectorspb.DetectorType { return detectorspb.DetectorType_Postman } diff --git a/pkg/detectors/postman/postman_test.go b/pkg/detectors/postman/postman_test.go index 861c3302d0f0..df7a0b402088 100644 --- a/pkg/detectors/postman/postman_test.go +++ b/pkg/detectors/postman/postman_test.go @@ -9,7 +9,8 @@ import ( "testing" "time" - "github.com/kylelemons/godebug/pretty" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" @@ -32,11 +33,12 @@ func TestPostman_FromChunk(t *testing.T) { verify bool } tests := []struct { - name string - s Scanner - args args - want []detectors.Result - wantErr bool + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool }{ { name: "found, verified", @@ -54,6 +56,40 @@ func TestPostman_FromChunk(t *testing.T) { }, wantErr: false, }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a postman secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Postman, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(404, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a postman secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Postman, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, { name: "found, unverified", s: Scanner{}, @@ -84,8 +120,7 @@ func TestPostman_FromChunk(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := Scanner{} - got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) if (err != nil) != tt.wantErr { t.Errorf("Postman.FromData() error = %v, wantErr %v", err, tt.wantErr) return @@ -94,9 +129,12 @@ func TestPostman_FromChunk(t *testing.T) { if len(got[i].Raw) == 0 { t.Fatalf("no raw secret present: \n %+v", got[i]) } - got[i].Raw = nil + if (got[i].VerificationError != nil) != tt.wantVerificationErr { + t.Errorf("Postman.FromData() error = %v, wantErr %v", got[i].VerificationError, tt.wantVerificationErr) + } } - if diff := pretty.Compare(got, tt.want); diff != "" { + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "VerificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { t.Errorf("Postman.FromData() %s diff: (-got +want)\n%s", tt.name, diff) } })